roots · swalkinshaw · Aug 29, 2021 · Aug 2, 2022
diff --git a/.github/actions/setup-step-ca/action.yml b/.github/actions/setup-step-ca/action.yml
diff --git a/.github/files/wordpress_sites.yml b/.github/files/wordpress_sites.yml
@@ -1,4 +1,4 @@
-letsencrypt_contact_emails:
+acme_ca_contact_emails:
   - admin@example.com
 
 wordpress_sites:
@@ -14,7 +14,6 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: letsencrypt
     cache:
       enabled: true
   example-https.com:
@@ -29,6 +28,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: true
-      provider: letsencrypt
     cache:
       enabled: false
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -31,7 +31,6 @@ jobs:
       - uses: actions/setup-python@v2
         with:
           python-version: '3.9'
-      - uses: ./.github/actions/setup-step-ca
       - uses: roots/setup-trellis-cli@v1
         with:
           ansible-vault-password: 'fake'
@@ -50,7 +49,7 @@ jobs:
       - run: trellis exec ansible-playbook --version
         working-directory: example.com/trellis
       - name: Provision
-        run: trellis provision --extra-vars "web_user=runner letsencrypt_ca=https://127.0.0.1:8443/acme/acme" production
+        run: trellis provision --extra-vars "web_user=runner acme_ca_force_local_server=true" production
         working-directory: example.com
       - name: Deploy non-https site
         run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production example.com

diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,4 @@ vendor/roles
 *.py[co]
 *.retry
 .trellis/virtualenv
+.trellis/root_certificates
diff --git a/dev.yml b/dev.yml
@@ -16,6 +16,7 @@
     - { role: xdebug, tags: [php, xdebug] }
     - { role: memcached, tags: [memcached] }
     - { role: nginx, tags: [nginx] }
+    - { role: ssl_certificates, tags: [ssl_certificates, ssl], when: sites_using_ssl | count }
     - { role: logrotate, tags: [logrotate] }
     - { role: composer, tags: [composer] }
     - { role: wp-cli, tags: [wp-cli] }

diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml
@@ -10,7 +10,13 @@ wordpress_env_defaults:
   domain_current_site: "{{ site_hosts_canonical | first }}"
   wp_debug_log: "{{ www_root }}/{{ item.key }}/logs/debug.log"
 
+ssl_defaults:
+  acme:
+    challenge:
+      type: http-01
+
 site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), item.value.env | default({}), vault_wordpress_sites[item.key].env) }}"
+site_ssl: "{{ ssl_defaults | combine(item.value.ssl | default({}) ) }}"
 site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}"
 site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}"
 site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}"

diff --git a/group_vars/development/main.yml b/group_vars/development/main.yml
@@ -1,4 +1,4 @@
-acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt"
 env: development
+acme_ca_server: "https://127.0.0.1:{{ step_ca_port }}/acme/acme/directory"
 mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml
 web_user: vagrant
diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml
@@ -14,6 +14,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: self-signed
     cache:
       enabled: false
diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml
@@ -16,6 +16,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: letsencrypt
     cache:
       enabled: false
diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml
@@ -16,6 +16,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: letsencrypt
     cache:
       enabled: false
diff --git a/roles/common/tasks/disable_challenge_sites.yml b/roles/common/tasks/disable_challenge_sites.yml
@@ -1,7 +1,7 @@
 ---
 - name: disable temporary challenge sites
   file:
-    path: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item }}.conf"
+    path: "{{ nginx_path }}/sites-enabled/acme-challenge-{{ item }}.conf"
     state: absent
   loop: "{{ wordpress_sites.keys() | list }}"
   notify: reload nginx
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
@@ -34,7 +34,7 @@
   loop_control:
     label: "{{ item.key }}"
   when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count
-  tags: [letsencrypt, wordpress]
+  tags: [ssl, wordpress]
 
 - name: Import PHP version specific vars
   include_vars: "{{ lookup('first_found', params) }}"

diff --git a/roles/letsencrypt/README.md b/roles/letsencrypt/README.md
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
diff --git a/roles/letsencrypt/library/test_challenges.py b/roles/letsencrypt/library/test_challenges.py
diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml